Abstract

We present PRIVACYGRID, a framework for supporting anonymous location-based queries in mobile information delivery systems. The PRIVACYGRID framework offers three unique capabilities. First, we provide a location privacy preference profile model, called location P3P, which allows mobile users to explicitly define their preferred location privacy requirements in terms of both location hiding measures (e.g., location k-anonymity and location l-diversity) and location service quality measures (e.g., maximum spatial resolution and maximum temporal resolution). Second, we develop three fast and effective location cloaking algorithms for providing location k-anonymity and location l-diversity in a mobile environment. The Quad Grid cloaking algorithm is fast but has a lower anonymization success rate. The dynamic bottom-up and top-down grid cloaking algorithms provide a much higher anonymization success rate and yet are efficient in terms of both time complexity and maintenance cost. Finally, we discuss a hybrid approach that combines the top-down and bottom-up search of location cloaking regions to further lower the average anonymization time. In addition, we argue for incorporating temporal cloaking into the location cloaking process to further increase the success rate of location anonymization. We also discuss the PRIVACYGRID mechanisms for anonymous support of range queries. Our experimental evaluation shows that the PRIVACYGRID approach can provide optimal location anonymity as defined by per-user location P3P without introducing significant performance penalties.

1 Introduction

With rapid advances in mobile communication technologies and the continued price reduction of location tracking devices, location-based services (LBSs) are widely recognized as an important feature of the future computing environment [11]. Though LBSs hold the promise of better safety, more convenience, and a wider range of entertainment and business opportunities in catering to the growing market of mobile users, the ability to locate mobile users and mobile objects also presents a new threat: the intrusion of location privacy [10, 16].
Location privacy is a particular type of information privacy. According to [10], location privacy is defined as the ability to prevent other unauthorized parties from learning one's current or past location. Location privacy threats refer to the risks that an adversary can obtain unauthorized access to raw location data, or to derived or computed location information, by locating a transmitting device, hijacking the location transmission channel, or identifying the subject (person) using the device [17]. In the United States, privacy risks related to location information have been identified in the Location Privacy Protection Act of 2001 [3]. Many have recognized that without safeguards, extensive deployment of LBSs may open doors for adversaries to jeopardize the location privacy of mobile users and expose LBSs to significant vulnerabilities for misuse and abuse [12, 16, 25]. For example, location information can be used to spam users with unwanted advertisements or to learn about users' medical conditions, alternative lifestyles, or unpopular political or religious views. Inferences can be drawn from visits to clinics, doctors' offices, entertainment clubs or districts, or political events. Public location information can lead to physical harm, such as stalking or domestic abuse.

Several approaches have been proposed for protecting the location privacy of a user. Most of them try to prevent disclosure of unnecessary information by techniques that explicitly or implicitly control what information is given to whom and when. We classify these techniques into three categories: (1) location protection through user-defined or system-supplied privacy policies; (2) location protection through anonymous usage of information; and (3) location protection through pseudonymity of user identities, which uses an internal pseudonym rather than the user's actual identity. As described in [10], some location-based services can operate completely anonymously, such as "when I pass a gas station, alert me with the unit price of the gas". Others cannot work without the user's identity, such as "when I am inside the office building, let my colleagues find out where I am". Between these two extremes are those applications that cannot be accessed anonymously but do not require the user's true identity, such as "when I walk past a computer screen, let me teleport my desktop to it". For those LBSs that require our true identity, strong security mechanisms, such as location authentication and authorization, have to be enforced in conjunction with their location privacy policy. In this paper we concentrate on the class of location-based applications that accept pseudonyms and present the PrivacyGrid framework for performing personalized anonymization of location information through customizable location k-anonymity and enabling anonymous location-based queries in mobile information delivery systems.

In the context of LBSs and mobile users, location k-anonymity refers to k-anonymous usage of location information. A subject is considered location k-anonymous if and only if the location information sent from a mobile user to an LBS is indistinguishable from the location information of at least k − 1 other subjects. A larger k makes it harder to link a location to a particular user and thus gives stronger location privacy guarantees; this uncertainty increases with the value of k. However, the quality of the LBS depends on the accuracy of the locations of mobile users, and at the same time, the more accurate the disclosed location information, the higher the risk of location privacy being invaded. Perfect privacy is clearly impossible as long as communication takes place. An important question is how much privacy protection is necessary. Moreover, users often have varying privacy needs in different contexts.

Location perturbation is an effective technique for implementing location k-anonymity. One method is to perturb the location information by reducing its precision (resolution) in terms of time and space [10, 16]. By reducing the spatial resolution, a spatial region that contains the location information of k − 1 other subjects is used to replace the spatial position of the subject. By reducing the temporal resolution, the message is delayed for a certain period of time, which may be long enough to include the location information of k − 1 other subjects. The fundamental challenge is how to control the spatial and temporal resolution reduction to the right amount that will allow LBSs to remain effective and valuable, while enabling mobile users to preserve the desired level of location privacy.

In this paper, we present PrivacyGrid, a framework for supporting anonymous location-based queries in mobile information delivery systems. The goal of the PrivacyGrid design is to provide a unified and yet effective location anonymization framework for all types of location queries so that mobile users can enjoy LBSs without revealing their exact location information. This paper makes the following contributions.

• First, we provide a location privacy preference profile model, called location P3P, which allows mobile users to explicitly define their preferred location privacy requirements in terms of both location hiding measures (i.e., location k-anonymity and location l-diversity) and location service quality measures (i.e., maximum spatial resolution and maximum temporal resolution). Our location P3P model supports the personalized and continuously changing privacy needs of a diverse user base.

• Second, we develop three fast and effective location cloaking algorithms for providing location k-anonymity and location l-diversity while maintaining the utility of LBSs. The Quad Grid cloaking algorithm is simple and fast but has a low success rate for location anonymization. In contrast, the dynamic bottom-up grid cloaking and the dynamic top-down grid cloaking algorithms provide a high anonymization success rate and yet are efficient in terms of both time complexity and grid index maintenance cost. All three algorithms dynamically compose the location cloaking regions and select the smallest one that meets both the location anonymity requirements and the location QoS requirements specified in users' location P3P profiles.

• Third, we describe a hybrid approach that combines the top-down and bottom-up search of the minimal location cloaking regions to further lower the average anonymization time. In addition, we briefly describe the possible increase of the anonymization success rate by a careful combination of temporal cloaking with spatial cloaking.

• We also describe the mechanisms for processing perturbed location range queries.

• Finally, we conduct an extensive experimental evaluation of the PrivacyGrid approach, showing that the PrivacyGrid algorithms can provide optimal location anonymity as defined by per-user location P3P without introducing significant performance penalties.

The rest of this paper is organized as follows. We give an overview of the PrivacyGrid framework in Section 2. We present the three grid-based spatial cloaking algorithms in Section 3 and discuss their efficiency and effectiveness through analysis and examples. We extend spatial cloaking by introducing two possible enhancements in Section 4 and discuss the mechanisms for processing anonymized location queries at the LBS servers in Section 5. We report our experimental evaluation results in Section 6 and discuss related work in Section 7. Section 8 concludes the paper with a summary and a brief discussion of future work.

2 PrivacyGrid: An Overview

We assume that the LBS system powered by PrivacyGrid consists of mobile users (clients), a wireless network, location anonymization servers, and LBS servers. Mobile users communicate with the LBS servers through one or more PrivacyGrid location anonymization servers. Each mobile user establishes communication with an anonymization server through an authenticated and encrypted connection. Each location anonymization server connects to a number of base stations, tracks the location updates of the mobile users in the range of those base stations, and performs the location anonymization for both location queries and location updates from these mobile users.

In this section, we present an overview of PrivacyGrid. We first describe the three-tier system architecture of PrivacyGrid and briefly discuss the set of location privacy requirements. Then we define the basic concepts used throughout the paper and outline the location anonymization process.

Fig. 1: System Architecture

2.1 System Architecture

The PrivacyGrid system promotes a three-tier architecture for supporting anonymous information delivery in a mobile environment, as shown in Figure 1. The top tier is the modeling of users' personal location privacy requirements. The middle tier is the location perturbation service, typically provided by a trusted third-party location server specialized in location tracking and anonymization. The third tier is the processing of cloaked location queries at the individual LBS providers. A number of research and development projects have used the trusted third-party location anonymizer infrastructure [16, 14, 21] for protecting the location privacy of mobile users.

We devise our location privacy preference profile model to allow mobile users to specify what, when, how (and with whom) their location information may be shared. In addition to the standard P3P specification [4], we add four location privacy specific measures and refer to them as location P3P. The first measure is location k-anonymity, which allows the mobile user to control her state of not being identifiable among a set of k − 1 other users. The second measure is location l-diversity, which allows the mobile user to control her state of not being identifiable among a set of l actual (physical) locations (such as buildings or postal addresses). This measure can be seen as a companion measure of location k-anonymity, and is particularly useful in reducing the risk of unwanted location inference when there are k or more distinct users at a single physical location (such as a clinic office or a political event gathering). The third measure is the maximum spatial resolution, which allows the mobile user to bound the spatial resolution reduction within an acceptable level of QoS. It can be changed or adjusted according to the type of location service and the time of day, month, or year when the LBS is being offered. Similarly, the fourth measure is the maximum temporal resolution, which bounds the temporal resolution reduction so that the delay perceived by the mobile user stays acceptable, based on the type of location service and the time when the LBS is being requested.

The middle tier is the location perturbation service, typically offered by a third-party location anonymization server. The location anonymization server anonymizes the location information from mobile users before it is passed to the actual LBS providers. In the first prototype of PrivacyGrid, we use spatial and temporal location cloaking techniques to perform location perturbation. The location information of a mobile user (such as her position update or the position from which she poses a location query) is mapped to a location cloaking box based on the location P3P of the user. For those mobile users who do not want to be tracked by others, no perturbation is performed on their location updates. For those LBSs that offer location-dependent information over public data, such as restaurants, gas stations, offices, and so forth, no location updates of mobile users are passed from the location anonymization servers to the LBS servers. Mobile users who wish to allow their movements to be tracked by certain LBSs or by some group of mobile users may use their location P3P to specify how they want their location updates to be cloaked and to which LBS servers their location updates may be provided. Similarly, for location queries, there are a couple of alternative ways for the location anonymizer service to pass the location cloaking box to the corresponding LBS provider. For example, one can choose to have the location anonymizer act as the middleman between mobile users and individual LBS providers, such that location queries are posted to the location anonymizer and passed to the LBS provider, and the result is returned to the mobile user through the location anonymizer. Alternatively, before contacting the LBS provider directly, a mobile user can have her location information filtered by reducing its precision (resolution) in terms of time and space according to her location P3P, ensuring that the location queries sent to the LBS meet her desired location k-anonymity and location l-diversity requirements. Note that in this second mode the mobile user talks to the LBS provider directly, so the provider sees the client's network-level identity (for example its address) even though the location itself is cloaked; the first mode avoids this by routing all traffic through the anonymizer. We present the PrivacyGrid algorithms for efficient and effective location cloaking in Section 3.

It is important to note that location perturbation may cause the LBS provider to send back more results than requested. The mobile node then needs to perform further filtering before presenting the results to the mobile user, leading to additional communication and processing overhead on mobile nodes. Thus, the third tier of PrivacyGrid is dedicated to methods for efficient processing of perturbed location queries at the individual LBS server. In contrast to the existing literature on location query processing, which concentrates on spatial positions (points), we need to extend some existing spatial query processing methods to spatial region based techniques. For example, [21] describes an approach to process location-cloaked kNN queries.

2.2 Location Privacy Requirements

In PrivacyGrid the following requirements are considered essential for supporting anonymous location queries.

1. Personalized User Privacy Levels: We argue that location privacy consists of two measures: location k-anonymity and location l-diversity. The former allows a mobile user to control a state of not being identifiable among a set of k − 1 other users. The latter allows a mobile user to control a state of not being identifiable among a set of l actual (physical) locations (such as buildings or postal addresses). These two measures are complementary and particularly useful in reducing the risks of unwanted location inference when there are k or more distinct users at a single physical location (such as a clinic office or a church). The system must have the capability to allow a mobile user to specify the desired k value for location k-anonymity and the desired l value for location l-diversity for each of her location updates or location queries. The user may change her privacy preference levels as often as required, or even on a per-message basis.

2. QoS Guarantees: The PrivacyGrid framework provides a mobile user with the capability of specifying two QoS metrics: (1) the maximum spatial resolution, indicating the amount of spatial inaccuracy she can tolerate while maintaining meaningful and acceptable service quality; and (2) the maximum temporal resolution, ensuring that the delay introduced for location cloaking is acceptable from a QoS standpoint. By utilizing these two quality metrics, PrivacyGrid aims at devising location cloaking algorithms that find the smallest possible cloaking region for each location cloaking request of a mobile user which satisfies her privacy requirements defined by location k-anonymity and location l-diversity.

3. Dynamic Tradeoff between Privacy and Quality: PrivacyGrid location perturbation algorithms should be capable of dynamically making tradeoffs between location privacy and location QoS. Unnecessarily large cloaking boxes lead to poor QoS in terms of a larger result set to transport and filter at the mobile client side, inevitably leading to higher delays for obtaining useful query results.

4. Efficiency and Scalability: In PrivacyGrid a mobile user can change her location P3P at any time. The cloaking algorithms should be effective and scalable in the presence of changing requirements on both the number of mobile users and the content of location P3P. At the same time, the cloaking algorithms must be fast, keeping the perceived delays due to location anonymization as low as possible.

5. Unified Framework: A single unified framework should be devised to meet personalized and customizable location anonymization demands and support a variety of anonymous LBSs with respectable performance, privacy guarantees, and quality assurance.

2.3 Basic Concepts

In this section we define only the basic concepts that are required for the subsequent discussion of the PrivacyGrid framework.

Universe of Discourse (UoD): We refer to the geographical area of interest as the universe of discourse (or map), which is defined by $U = Rect(x, y, w, h)$, where $x$ is the x-coordinate and $y$ is the y-coordinate of the lower left corner of a rectangular region, $w$ is the width and $h$ is the height of the universe of discourse. Basically, we consider maps which are rectangular in shape.

Grid and Grid cells: In our framework, we map the universe of discourse $U = Rect(x, y, w, h)$ onto a grid $G$ of cells. Each grid cell is an $\alpha \times \beta$ rectangular area, where $\alpha, \beta$ are system parameters that define the cell size of the grid $G$. Formally, a grid corresponding to the universe of discourse $U$ can be defined as
$G(U, \alpha, \beta) = \{A_{ij} : 1 \le i \le M,\ 1 \le j \le N,\ A_{ij} = Rect(x + (i-1)\alpha,\ y + (j-1)\beta,\ \alpha,\ \beta),\ M = \lceil w/\alpha \rceil,\ N = \lceil h/\beta \rceil\}$.
$A_{ij}$ is an $\alpha \times \beta$ rectangular area representing the grid cell located in the $i$th column and $j$th row of the grid $G$. (If $w$ or $h$ is not a multiple of the cell size, the last column or row of cells extends past the boundary of $U$.)

Position to Grid Cell Mapping: Let $p = (p_x, p_y)$ be the position of a moving object in the universe of discourse $U = Rect(x, y, w, h)$. Let $A_{ij}$ denote a cell in the grid $G(U, \alpha, \beta)$. $Pmap(p)$ is a position to grid cell mapping, defined as $Pmap(p) = A_{\lfloor (p_x - x)/\alpha \rfloor + 1,\ \lfloor (p_y - y)/\beta \rfloor + 1}$.

Current Grid Cell of a Moving Object: The current grid cell of a moving object is the grid cell which contains the current position of the moving object. If $o_m$ is a moving object whose current position, denoted as $p$, is in the universe of discourse $U$, then the current grid cell of the object is formally defined by $curr\_cell(o_m) = Pmap(p)$.

User Privacy Preference Profile: In PrivacyGrid a personalized location privacy model is used. A user registered with the anonymization server specifies her location privacy requirements in terms of her desired user anonymity level k, desired location diversity level l, maximum spatial resolution {d_x, d_y}, and maximum temporal resolution d_t. Each location P3P record is of the form (object_id, LBS_info, request_id, k, l, {d_x, d_y, d_t}), where object_id identifies the user, LBS_info is optional and provides the type and the identifier of the LBS this P3P record applies to, and request_id is optional and is used to uniquely identify a service request posed by the user with the given object_id. We use k = 1 and l = 1 as the default setting (neither anonymity nor diversity is required). When k = 1 and l = 1, d_x, d_y, d_t are set to nil.

2.4 Location Anonymization Server

In PrivacyGrid, each incoming location service request m_s received by the location anonymization server is of the form (object_id, request_id, {x, y, t}, F, k, l, {d_x, d_y, d_t}). The object_id and request_id together uniquely identify a message. The coordinate (x, y) and the timestamp t together form the three-dimensional spatio-temporal location point of the mobile user who issued the message m_s. F denotes the content filter of the request, such as gas stations, French restaurants, or yellow taxi cabs. The parameters {k, l, d_x, d_y, d_t} denote the location P3P specified by the mobile user who issued this request. The location anonymization server transforms the original message m_s into a location perturbed message m_t of the form (h(object_id || request_id), {X : [x_s, x_e], Y : [y_s, y_e], I : [t_s, t_e]}, F), where h is a secure hash function, X : [x_s, x_e] and Y : [y_s, y_e] denote the spatial cloaking box of the message on the x-axis and y-axis respectively, such that x_e − x ≤ d_x, x − x_s ≤ d_x, y_e − y ≤ d_y and y − y_s ≤ d_y; and I : [t_s, t_e] denotes the temporal cloaking interval such that t_e − t_s ≤ d_t. Furthermore, at least k − 1 other mobile users (i.e., k users including the requester) and at least l symbolic addresses are located within the same spatio-temporal cloaking box defined by (X : [x_s, x_e], Y : [y_s, y_e], I : [t_s, t_e]). We call this process message perturbation through spatio-temporal cloaking. Note that object_id and request_id are typically drawn from small identifier spaces, so an unkeyed hash of their concatenation can be inverted by enumeration by any party that knows the identifier format; h should therefore be a keyed function, such as an HMAC under a key known only to the anonymization server, so that an LBS provider cannot map a pseudonym back to the user. We describe the three grid-based spatial cloaking algorithms for finding the minimal spatial cloaking box (X : [x_s, x_e], Y : [y_s, y_e]) and the minimal temporal cloaking period I : [t_s, t_e] that meet the k-anonymity and l-diversity requirements in the subsequent sections.
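The following Python sketch is an added example written for this edit; it is not code from the PrivacyGrid paper or its prototype. It encodes the location P3P record of Section 2.3 and the perturbation of m_s into m_t described in this section: a candidate cloaking box is checked against the user's QoS bounds and privacy bounds, and the identifiers are replaced by a pseudonym. Finding the box itself (the grid cloaking algorithms of Section 3) is left to the caller, who also supplies the counts of other users and symbolic addresses inside the box. The choice of an HMAC under a server-held key for h, the field names, and the sample values are this example's own assumptions.

```python
# Added example (not code from the PrivacyGrid paper): location P3P record and
# the message perturbation m_s -> m_t of Section 2.4. The cloaking box and the
# per-box counts are given by the caller; the search for the box is out of scope.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

Interval = Tuple[float, float]


@dataclass(frozen=True)
class LocationP3P:
    """Per-user location privacy preference (Section 2.3). k = l = 1 is the
    default: no anonymity or diversity is required and the resolutions are nil."""
    k: int = 1
    l: int = 1
    d_x: Optional[float] = None   # maximum spatial resolution on the x-axis
    d_y: Optional[float] = None   # maximum spatial resolution on the y-axis
    d_t: Optional[float] = None   # maximum temporal resolution (tolerable delay)

    def __post_init__(self) -> None:
        if self.k < 1 or self.l < 1:
            raise ValueError("k and l must be at least 1")
        if self.k == 1 and self.l == 1 and (self.d_x, self.d_y, self.d_t) != (None, None, None):
            raise ValueError("resolutions must be nil when k = l = 1")
        if (self.k > 1 or self.l > 1) and None in (self.d_x, self.d_y, self.d_t):
            raise ValueError("k > 1 or l > 1 requires d_x, d_y and d_t")


@dataclass(frozen=True)
class ServiceRequest:
    """Original message m_s = (object_id, request_id, {x, y, t}, F, k, l, {d_x, d_y, d_t})."""
    object_id: str
    request_id: str
    x: float
    y: float
    t: float
    content_filter: str          # F, e.g. "gas stations"
    p3p: LocationP3P


@dataclass(frozen=True)
class PerturbedMessage:
    """Perturbed message m_t = (h(object_id || request_id), {X, Y, I}, F)."""
    pseudonym: str
    X: Interval                  # [x_s, x_e]
    Y: Interval                  # [y_s, y_e]
    I: Interval                  # [t_s, t_e]
    content_filter: str


def pseudonym(object_id: str, request_id: str, key: bytes) -> str:
    """h(object_id || request_id). Assumption of this example: a keyed hash
    (HMAC-SHA256, key held only by the anonymization server) rather than a bare
    hash, so an LBS cannot recover the identifiers by enumerating them."""
    data = object_id.encode() + b"||" + request_id.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def perturb(ms: ServiceRequest, X: Interval, Y: Interval, I: Interval,
            other_users_in_box: int, addresses_in_box: int,
            key: bytes) -> Optional[PerturbedMessage]:
    """Return m_t if the box (X, Y, I) satisfies the user's P3P, else None.

    Checks, in order: the box contains the user's own spatio-temporal point;
    the QoS bounds d_x, d_y, d_t (only meaningful when k > 1 or l > 1); and the
    privacy bounds: at least k - 1 other users and, when l > 1, at least l
    symbolic addresses inside the box.
    """
    p = ms.p3p
    (x_s, x_e), (y_s, y_e), (t_s, t_e) = X, Y, I
    if not (x_s <= ms.x <= x_e and y_s <= ms.y <= y_e and t_s <= ms.t <= t_e):
        return None
    if p.k > 1 or p.l > 1:
        if x_e - ms.x > p.d_x or ms.x - x_s > p.d_x:
            return None
        if y_e - ms.y > p.d_y or ms.y - y_s > p.d_y:
            return None
        if t_e - t_s > p.d_t:
            return None
    if other_users_in_box < p.k - 1:
        return None
    if p.l > 1 and addresses_in_box < p.l:
        return None
    return PerturbedMessage(pseudonym(ms.object_id, ms.request_id, key),
                            X, Y, I, ms.content_filter)


if __name__ == "__main__":
    # Constructed sample request: k = 3, l = 2, 50 m spatial and 60 s temporal bounds.
    key = b"anonymizer-secret-key"
    req = ServiceRequest("alice", "r1", 10.0, 10.0, 1000.0, "gas stations",
                         LocationP3P(k=3, l=2, d_x=50.0, d_y=50.0, d_t=60.0))
    print(perturb(req, (0.0, 50.0), (0.0, 50.0), (1000.0, 1030.0), 2, 2, key))   # accepted
    print(perturb(req, (0.0, 100.0), (0.0, 50.0), (1000.0, 1030.0), 5, 5, key))  # None: x_e - x > d_x
```

The QoS check is deliberately one-sided per axis (x_e − x and x − x_s separately), matching the constraints above, so a box that is narrow overall but lopsided around the user's position is still rejected.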

3 PrivacyGrid Spatial Cloaking Algorithms

In this section we first describe the basic Quad Grid algorithm for finding the minimal spatial cloaking box for the given location of a mobile user. By minimal, we mean that there exists no smaller spatial cloaking region that satisfies both location k-anonymity and location l-diversity as well as the maximum spatio-temporal resolution constraints defined in the user's location P3P. We then present two dynamic grid-based cloaking algorithms: bottom-up spatial cloaking and top-down spatial cloaking. Both provide a much higher anonymization success rate than the basic Quad Grid cloaking algorithm and reduced grid maintenance cost while keeping the desired performance.

We first give an overview of the basic data structures used in PrivacyGrid. Then we introduce the Quad Grid cloaking approach and illustrate the algorithm by examples. Bottom-up and top-down spatial cloaking are introduced as two dynamic grid cloaking algorithms that improve the cloaking effectiveness of the Quad Grid approach.

3.1 Data Structures

In PrivacyGrid, the entire map is divided into a grid of cells of size α × β, where α and β are system-defined parameters. Each mobile user is responsible for reporting its location to the anonymization server either periodically or when it moves outside its current grid cell [13]. Upon receiving a location update, the location anonymization server maintains the following data structures: the mapping of a mobile user's position to its current grid cell, the Cell Object Count Map (to be defined below), and the hierarchical grid index. When a mobile user moves out of its current cell C_i and enters a new cell C_j, the Cell Object Count Map entries of both cells must be updated in the grid index. Figure 2 illustrates the hierarchical grid index and the Cell Object Count Map by an example.

Cell Object Count Map: In addition to the grid cell to object mapping maintained by the grid index, we also keep a count of the number of mobile objects and the number of still objects (so-called symbolic addresses, such as gas stations, restaurants, offices, and so forth) located in each grid cell. This allows for quick computation of the total number of mobile users and the total number of still objects located in a given spatial area using the grid cells and the grid index. For each grid cell, the count of still objects remains unchanged most of the time. However, the count of mobile objects may change as mobile users move from one grid cell to another. A mobile user's movement out of its current grid cell requires the mobile object count for the old cell to be reduced by one and the corresponding count for the new cell to be increased by one.

Fig. 2: Grid Index Data Structures for PrivacyGrid

Hierarchical Grid Index: The Hierarchical Grid Index (HGI) is a multi-level [24] data structure which allows for fast and efficient computation of object counts belonging to a particular region of the map. The construction of an HGI is shown in Figure 2 and is performed by successively splitting grid cells into four smaller equal-sized cells at the next lower level of the index. The number of cells at level $l$ ($l \ge 0$) of the index is $4^l$ (the symbol $l$ here denotes the index level and is unrelated to the $l$ of location l-diversity). At level zero ($l = 0$) the index comprises a single cell representing the entire map. This cell is split into four equal-sized cells to form level one of the index. We call the cell at level $i$ the parent cell of the four children cells at level $j$ where $j = i + 1$. Subsequently the cells at level $j$ may further be split into four cells each to form level $j + 1$ of the index. Figure 2 displays an HGI structure of height three ($l = 2$) showing the parent-child cell relationships for each level of the index. The HGI maintains the object to cell mapping only for the lowest level of the index. However, the cell object count map is also maintained for the higher levels of the index in order to aid fast calculation of cloaking areas (see Section 3.2 for details). Mobile object movement may therefore lead to changes in the mobile object count for cells at the lowest level and for each of their parent cells at the higher levels too.


3.2  The  Quad  Grid  Cloaking  Algorithm 


The Quad Grid Cloaking algorithm presents a basic and straightforward way of utilizing the HGI data structure to perform spatial cloaking. The algorithm takes as the input the original message ms from a mobile user and produces the perturbed message mt by replacing the two dimensional spatial location point (x, y) with the minimal spatial cloaking box (X : [xs, xe], Y : [ys, ye]), which satisfies the mobile user's location privacy requirement {k, l} and the location service quality requirement {dx, dy, dt}. Algorithm 1 presents a sketch of the algorithmic detail. It first invokes the GridIndexSearch function to obtain the current cell identifier (cid) of the mobile user using her object identifier and her current spatial location point (x, y). Then the algorithm performs the spatial cloaking recursively and each iteration proceeds in three steps. It first locates the number of moving objects (MN) and the number of still objects (SN) in the current cell cid. Then it compares {MN, SN} with the location privacy requirement {k, l} of the mobile user (objectid) and computes the minimal spatial cloaking box. If the current cell does not meet the anonymity requirements, then the parent cell of cid will be used to start the next iteration.

Fig. 3: Quad Grid Cloaking Example


Concretely, the algorithm first uses the current cell identifier for the mobile user to obtain the number of moving objects (MN) and the number of still objects (SN) within this particular cell by searching the Cell Object Count Map data structure. Then it performs the k-anonymity and l-diversity check on this grid cell. If MN ≥ k and SN ≥ l, then this single cell can potentially form the spatial cloaking box for this request and may be returned as the answer after verifying that it does not violate the maximum spatial resolution constraints (lines 2-5). Otherwise, the algorithm attempts to extend the search for the cloaking box in the vertical or horizontal direction of the current cell. We define the vertical neighbor (cid_V) of cell cid as the cell located above or below cid with the same parent cell in the HGI. The horizontal neighbor (cid_H) is identified as the cell located on either side of cid with the same parent cell in the HGI. The algorithm will then calculate the object counts MN and SN of cid and cid_V as well as cid and cid_H as shown in line 8 of the algorithm. If only one of these two cell combinations satisfies the k-anonymity and l-diversity requirement (lines 9-17), the algorithm attempts to choose that combination to continue the verification of whether it meets the maximum spatial resolution constraint. If both cell combinations satisfy the k-anonymity and l-diversity requirement, the algorithm picks the combination which provides a higher k-anonymity level (or higher l-diversity level when both combinations have the same k value). Upon passing the privacy check, the algorithm will validate whether the selected cell combination meets the maximum spatial resolution constraint of this request, and if so, it is returned as the minimal spatial cloaking box (line 11 and line 14). However, if this selected cloaking box does not meet the maximum spatial resolution requirement (i.e., it is bigger than the range defined by the maximum spatial resolution), the algorithm has to drop this message (unless temporal cloaking is turned on). In case neither of the two combinations satisfies the k-anonymity and l-diversity requirements, the algorithm starts the next iteration with the parent cell of the current cid.

Algorithm 1 Quad Grid Cloaking
Input: {objectid, requestid, x, y, t}, {dx, dy, dt}, {k, l}
Output: MinimalSpatialCloakingBox
1: cid ← GridIndexSearch(objectid, x, y)
2: FUNCTION QUAD_GRID_CLOAKING(k, l, {x, y},
3:     {dx, dy}, cid)
4: (MN, SN) ← CellObjectCountMapSearch(cid)
5: if (cid.MN ≥ k) && (cid.SN ≥ l) then
6:     CheckCloakingBoxValidity(x, y, dx, dy)
7:     return cid;
8: end if
9: cid_V ← Vertical neighbor cell of cid.
10: cid_H ← Horizontal neighbor cell of cid.
11: MN_V = cid.MN + cid_V.MN; MN_H = cid.MN + cid_H.MN;
12: SN_V = cid.SN + cid_V.SN; SN_H = cid.SN + cid_H.SN;
13: if (((MN_V ≥ k) && (SN_V ≥ l)) || ((MN_H ≥ k) && (SN_H ≥ l))) then
14:     if ((MN_V ≥ k && MN_H ≥ k && MN_H > MN_V) || MN_V < k) then
15:         CheckCloakingBoxValidity(x, y, dx, dy)
16:         return cid, cid_H;
17:     else
18:         if (MN_H == MN_V) then
19:             if (SN_H > SN_V) then
20:                 CheckCloakingBoxValidity(x, y, dx, dy)
21:                 return cid, cid_H;
22:             else
23:                 CheckCloakingBoxValidity(x, y, dx, dy)
24:                 return cid, cid_V;
25:             end if
26:         else
27:             CheckCloakingBoxValidity(x, y, dx, dy)
28:             return cid, cid_V;
29:         end if
30:     end if
31: else
32:     QUAD_GRID_CLOAKING(k, l, {x, y}, {dx, dy}, PARENT(cid));
33: end if

Fig. 4: Quad Grid Cloaking Weakness

We illustrate the working of Algorithm 1 by example. Figure 3(a) displays a HGI structure of height two. For simplicity we only display the mobile object count for each cell at a particular time instant within each cell since the still object count is relatively stable. We observe that the mobile object count for each cell at level one is the sum of the object counts for its children cells at level two. Figure 3(b) illustrates the working of the Quad Grid Cloaking algorithm for a given location anonymization request issued by a mobile object within the shaded cell (the cell with object count of 6). Suppose that this anonymization request has the k-anonymity level set to k = 20. Neither MN_V = 12 nor MN_H = 10 satisfies this k-anonymity requirement of 20, so the algorithm selects the parent cell at level one of the HGI. However, this parent cell has a mobile object count of 18, thus it is still insufficient to meet the desired k-anonymity level of 20. The algorithm needs to further expand the candidate cloaking box in either the vertical or horizontal direction. If the expansion proceeds in the vertical direction, the candidate cloaking box provides a k-anonymity level of k' = 30, otherwise we obtain k' = 33 by expanding the box in the horizontal direction. Given that the cloaking area will be the same irrespective of whether the expansion is along the vertical or horizontal direction, the algorithm selects the candidate cell combination that provides a higher anonymity level. In this example, the horizontal expansion is chosen as the final cloaking box as displayed in the shaded area at the bottom left part of Figure 3(b).
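The walk-through above as runnable code. This is an added example, not code from the PrivacyGrid paper: the HGI is modelled as a constructed 4x4 base grid whose counts reproduce the numbers quoted for Figure 3, and the names (Cell, quad_grid_cloak) and the choice to measure the maximum spatial resolution dx, dy in base cells are assumptions.

```python
# Added example, not code from the PrivacyGrid paper: Quad Grid cloaking
# (Algorithm 1) over a small Hierarchical Grid Index. Only mobile object
# counts are modelled, as in the paper's walk-through; still object counts
# and the l-diversity test follow the same pattern. The 4x4 base grid is
# constructed so the request from the cell with count 6 reproduces the
# numbers quoted for Figure 3 (siblings 6 and 4, parent 18, level-one
# neighbours 12 and 15); it is not the paper's figure.
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEIGHT = 2  # level of the base grid; level 0 is the single whole-map cell
BASE_MN = [  # constructed base-level mobile object counts, row 0 on top
    [2, 6, 4, 3],
    [4, 6, 5, 3],
    [3, 5, 3, 4],
    [2, 2, 4, 1],
]
Box = Tuple[int, int, int, int]  # (row0, col0, row1, col1) in base cells, inclusive


@dataclass(frozen=True)
class Cell:
    level: int
    row: int
    col: int

    def box(self) -> Box:
        s = 1 << (HEIGHT - self.level)  # base cells per side covered by this cell
        return (self.row * s, self.col * s, self.row * s + s - 1, self.col * s + s - 1)


def cell_mn(cell: Cell) -> int:
    """Mobile object count of a cell. The HGI keeps this sum materialised
    for every level; here it is recomputed from the base grid."""
    r0, c0, r1, c1 = cell.box()
    return sum(BASE_MN[r][c] for r in range(r0, r1 + 1) for c in range(c0, c1 + 1))


def parent(cell: Cell) -> Cell:
    return Cell(cell.level - 1, cell.row // 2, cell.col // 2)


def vertical_neighbor(cell: Cell) -> Cell:
    """Sibling above or below cid inside the same parent cell (cid_V)."""
    return Cell(cell.level, cell.row ^ 1, cell.col)


def horizontal_neighbor(cell: Cell) -> Cell:
    """Sibling left or right of cid inside the same parent cell (cid_H)."""
    return Cell(cell.level, cell.row, cell.col ^ 1)


def union_box(cells: List[Cell]) -> Box:
    boxes = [c.box() for c in cells]
    return (min(b[0] for b in boxes), min(b[1] for b in boxes),
            max(b[2] for b in boxes), max(b[3] for b in boxes))


def box_is_valid(box: Box, dx: int, dy: int) -> bool:
    """CheckCloakingBoxValidity: the box may not exceed the maximum spatial
    resolution, expressed here as a width dx and height dy in base cells."""
    r0, c0, r1, c1 = box
    return c1 - c0 + 1 <= dx and r1 - r0 + 1 <= dy


def quad_grid_cloak(cid: Cell, k: int, dx: int, dy: int) -> Optional[Tuple[Box, int]]:
    """Return (cloaking box, achieved k') or None when the message is dropped
    because the chosen box overshoots the maximum spatial resolution."""
    while True:
        mn = cell_mn(cid)
        if mn >= k:  # the cell alone is k-anonymous (lines 5-8)
            box = cid.box()
            return (box, mn) if box_is_valid(box, dx, dy) else None
        if cid.level == 0:
            return None  # the whole map has fewer than k objects
        cid_v, cid_h = vertical_neighbor(cid), horizontal_neighbor(cid)
        mn_v, mn_h = mn + cell_mn(cid_v), mn + cell_mn(cid_h)
        if mn_v >= k or mn_h >= k:  # lines 13-30
            # Prefer the pair with the higher k'. The paper breaks a tie by the
            # still object count, which is not modelled here, so the vertical
            # pair is kept on a tie.
            pick = cid_h if mn_h >= k and (mn_v < k or mn_h > mn_v) else cid_v
            box = union_box([cid, pick])
            achieved = mn_h if pick is cid_h else mn_v
            return (box, achieved) if box_is_valid(box, dx, dy) else None
        cid = parent(cid)  # neither pair suffices: climb the HGI (line 32)


if __name__ == "__main__":
    start = Cell(HEIGHT, 1, 1)  # the shaded cell with mobile object count 6
    print(quad_grid_cloak(start, 20, 4, 4))  # ((0, 0, 1, 3), 33): parent + horizontal neighbour
    print(quad_grid_cloak(start, 20, 2, 2))  # None: the 4-cell-wide box exceeds dx, message dropped
```

The second call shows the drop case of the text: both level-one combinations are k-anonymous, but the 4-cell-wide box violates a 2-cell maximum spatial resolution.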

3.3  Problems  with  Quad  Grid  Cloaking 

The Quad Grid cloaking algorithm is extremely fast as it uses the HGI data structure that maintains the object counts at different levels of the grid index. However, the algorithm is restricted by the static nature of the Quad Grid data structure when performing the cell-based expansion for finding the minimal spatial cloaking box that meets both the privacy and quality constraints of the mobile user. We illustrate the performance penalty of this problem by example in this section and provide experimental evaluation to validate our analysis in Section 6.

Again for simplicity we only deal with the mobile object counts in this example as the still object counts are insensitive to the movement of mobile users. Figure 4(a) displays the cloaking area constructed by the Quad Grid algorithm (at the lowest level of the HGI) for the example given in Figure 3. We observe that the minimal cloaking area chosen is unnecessarily larger than required even though the achieved anonymity level (k' = 33) is well above the required anonymity level of k = 20. Figure 4(b) displays a couple of scenarios where the cloaking area can be constructed using a smaller number of base level cells while still meeting the required anonymity level. There are a number of weaknesses that prevent the Quad Grid approach from finding the smallest possible cloaking area within the user specified privacy and quality requirements.

1. Rapid and constrained area expansion: At each iteration, the Quad Grid algorithm expands the cloaking area to twice its current size by selecting a horizontal or vertical neighboring cell. In case the iteration involves moving to a higher level of the HGI (line 18 in Algorithm 1), the area expands to four times its size at the beginning of the iteration. At the higher levels of a HGI, this leads to a rapid expansion in the candidate cloaking area, restricting the ability of the algorithm to find the minimal cloaking box that meets the location P3P requirements.

2. Unnecessarily High k-Anonymity: From the above example we observe that the Quad Grid cloaking algorithm achieves much higher anonymity levels than the desired levels. Unnecessarily large anonymity levels have an associated cost of a larger cloaking area which hurts the QoS provided to the user.

3. Anonymization Success Rate: An important goal of the location cloaking algorithm is to anonymize messages at a high success rate while meeting the user specified privacy preference profile. The Quad Grid algorithm, due to rapid expansion of the cloaked areas, often overshoots the maximum spatial resolution, thus resulting in a higher percentage of messages being dropped due to its inability to find a satisfactory perturbation (see Section 6 for experimental results). This severely hurts the performance of the algorithm.

4. Pre-defined Cloaking Path: The Quad Grid algorithm utilizes the fixed hierarchy of the HGI data structure to perform cell expansion in searching for the minimal spatial cloaking box, thus limiting its ability to explore all options for cell-based expansion. As a result, the algorithm can only select cloaking areas through a pre-defined quad grid cell composition structure along the hierarchy of the HGI.

To overcome the problems with Quad Grid cloaking, we need to relax the rigid hierarchical quad grid cell expansion process implied by the construction structure of the HGI. This motivates us to look into the dynamic cell expansion approach. In the rest of the paper we focus on the bottom-up and the top-down grid cloaking algorithms. Unlike the Quad Grid cloaking approach, the dynamic grid cloaking approach is able to produce close to optimal cloaking areas. The algorithm accepts the same input arguments as the Quad Grid approach (recall Section 3.2).


3.4  Dynamic  Bottom-Up  Grid  Cloaking 

The Bottom-Up approach to dynamic cloaking starts with the base cell containing the object from which the cloaking request has originated. A sketch of the algorithm is given in Algorithm 2. The algorithm first determines if the current cell (cid) has sufficient mobile object count and still object count to satisfy the privacy requirements and verifies the validity of the cloaking box in terms of the user specified maximum spatial resolution levels (lines 2-6).

Algorithm 2 Bottom-Up Dynamic Grid Cloaking
Input: {objectid, requestid, x, y, t}, {dx, dy, dt}, {k, l}
Output: MinimalSpatialCloakingBox
1: cid ← GridIndexSearch(objectid, x, y)
2: FUNCTION BOTTOM_UP_GRID_CLOAKING(k, l,
3:     (x, y), (dx, dy), cid)
4: if (cid.MN ≥ k) && (cid.SN ≥ l) then
5:     CheckCloakingBoxValidity(x, y, dx, dy)
6:     return cid;
7: end if
8: while (selectedCells.MN < k || selectedCells.SN < l) do
9:     Row_N ← Row above uppermost selected row.
10:    Row_S ← Row below lowermost selected row.
11:    Col_E ← Right column of rightmost selected column.
12:    Col_W ← Left column of leftmost selected column.
13:    CheckRowSpatialValidity(x, dx, Row_N);
14:    CheckRowSpatialValidity(x, dx, Row_S);
15:    CheckColSpatialValidity(y, dy, Col_E);
16:    CheckColSpatialValidity(y, dy, Col_W);
17:    MN_N = selectedCells.MN + Row_N.MN;
18:    SN_N = selectedCells.SN + Row_N.SN;
19:    MN_S = selectedCells.MN + Row_S.MN;
20:    SN_S = selectedCells.SN + Row_S.SN;
21:    MN_E = selectedCells.MN + Col_E.MN;
22:    SN_E = selectedCells.SN + Col_E.SN;
23:    MN_W = selectedCells.MN + Col_W.MN;
24:    SN_W = selectedCells.SN + Col_W.SN;
25:    odd iteration:
26:        selectRowOrColumnToAdd(MN_N, MN_S, MN_E,
27:            MN_W, SN_N, SN_S, SN_E, SN_W);
28:    even iteration:
29:        if (addedRowInPreviousIteration) then
30:            selectColumnToAdd(MN_E, MN_W, SN_E, SN_W);
31:        else
32:            selectRowToAdd(MN_N, MN_S, SN_N, SN_S);
33:        end if
34: end while
35: MinimalCloakingBox ← CloakingArea(selectedRows, selectedColumns)
36: return MinimalCloakingBox;

In case the current cell does not meet the user's privacy requirements, the algorithm expands the current cell (i.e., the candidate cloaking box) to any of the four neighboring cells. This is in contrast to the Quad Grid approach that restricts the expansion to only those neighboring cells with the same parent in the HGI. The decision on which of the four cells to choose first is based on the highest object count in the candidate cells. The cells composing the cloaking box are identified by their rows and columns in the grid index. The selected rows and selected columns are maintained by the algorithm (in incremental order) and can be used to infer the selected cells for forming the final cloaking area. The current candidate cloaking box may be expanded further in any direction (North, South, East or West) by adding the row above the uppermost selected row (or below the lowermost selected row) or the column to the right of the rightmost selected column (or to the left of the leftmost selected column), thus dynamically building the cell-based cloaking box by adding suitable rows or columns. The rows denoted by Row_N, Row_S or columns denoted by Col_E, Col_W (lines 9-12) are used to calculate the cell count after addition (lines 17-24). The validity of the rows or columns to meet the maximum spatial resolution requirements is checked before proceeding with the addition (lines 11-14). The algorithm selects the row or column which leads to the maximum object count after addition. For every odd iteration, the algorithm determines whether to add a row or column as the cloaking area may be expanded in any of the four directions (lines 25-27). For even iterations, the algorithm expands the cloaking area depending on whether a row or column was added in the previous iteration, in order to ensure that no skew is introduced in any direction (lines 28-33). For example, if the algorithm added a row during the previous iteration, the current iteration would involve addition of either the column Col_E or Col_W. The steps (lines 8-34) are repeated as long as the total object count of all cells in the selected rows and columns is less than the required k-anonymity and l-diversity requirements. Upon meeting the privacy and quality requirements, the algorithm uses the selected rows and columns to determine the selected cells and composes the minimal cloaking area in terms of the selected cells. It returns the final minimal spatial cloaking area and terminates.

Fig. 5: Bottom-Up Dynamic Hierarchical Grid Cloaking Example

The working of the Bottom-Up dynamic approach is explained through an example in Figure 5. For simplicity we only use the mobile object count in this example. The cloaking request originates from the shaded cell with an object count of six. As this is insufficient to meet the k-anonymity requirement, the algorithm starts expanding the selected cell. Note that the algorithm works with a flat grid index (or the lowest level of the HGI data structure). Thus no additional information related to higher levels of the HGI hierarchy needs to be maintained. The current cell is located at the second row and the second column in the grid, which are marked as selectedRows and selectedCols by the algorithm respectively. All neighboring cells of the shaded cell are considered and the first row to the north, which increments the object count to 12, is chosen as the first cell to expand and added into the selectedRows. As the total object count of 12 in this candidate cloaking box does not meet the k-anonymity requirement of k = 20, the algorithm starts the next iteration. In this iteration, we first consider the column to the left (Col_W), which is not sufficient to meet the privacy requirements. Then we consider the addition of the right column (third column in the grid) which provides a cloaking area with the object count of k' = 21, which is sufficient to meet the anonymity requirement. Thus the algorithm terminates and returns selectedRows = {1, 2} and selectedCols = {2, 3}. We can see the area provided by the dynamic bottom-up grid cloaking approach is much smaller than the one provided by the Quad Grid approach (in Figure 3), even though both meet the privacy requirements.

3.5  Dynamic  Top-Down  Grid  Cloaking 

Dynamic cloaking may also proceed by starting with the largest possible cloaking area as permitted by the maximum spatial resolution. We call this approach the Top-Down dynamic grid cloaking and Algorithm 3 gives the algorithmic sketch. First, the top-down algorithm calculates the cells needed to compose the largest cell-based candidate cloaking box which meets the maximum spatial tolerance requirement (line 4). The cloaking area is expressed as a set of selectedRows and selectedCols, as in the bottom-up approach. If the largest possible candidate cloaking box fails to meet the required privacy requirements, the message cannot be cloaked using the user-defined privacy and quality metrics and the algorithm terminates (lines 5-7). The algorithm proceeds beyond this step only if it is possible to cloak the message. From there, the top-down approach repeatedly removes appropriate rows or columns from the maximum cloaking area generated in line 4. Each odd iteration selects the outermost rows or columns (lines 9-12) with minimum object counts, so that the selected cloaking area (after removing a row or column) has the maximum possible object count (lines 13-33). If any of the calculated values are higher than the k-anonymity requirement, rows or columns may be removed appropriately, provided that the row or column containing the object which initiated the cloaking request is not removed (lines 21-24). Even iterations may remove rows or columns depending on the steps performed by the previous iteration (lines 25-30). The algorithm terminates if none of the object counts are higher than the user specified k value and l value (lines 31-33). It returns the final cloaked spatial area defined by the selectedRows and selectedCols. The top-down approach speeds up the cloaking in certain scenarios when compared to the bottom-up approach.

The example in Figure 6 illustrates the Top-Down approach with the same starting conditions as in the previous examples. The shaded area in the leftmost figure displays the initial maximum possible cloaking area. The end result with the top-down approach is similar to the result obtained using the bottom-up approach in this example.

Algorithm 3 Top-Down Dynamic Grid Cloaking
Input: {objectid, requestid, x, y, t}, {dx, dy, dt}, {k, l}
Output: MinimalSpatialCloakingBox
1: cid ← GridIndexSearch(objectid, x, y)
2: FUNCTION TOP_DOWN_GRID_CLOAKING(k, l,
3:     (x, y), (dx, dy), cid)
4: selectedCells = MaxCloakingArea(x, y, dx, dy);
5: if (selectedCells.MN < k) || (selectedCells.SN < l) then
6:     break;
7: end if
8: while (selectedCells.MN ≥ k && selectedCells.SN ≥ l) do
9:     Row_N ← Uppermost selected row.
10:    Row_S ← Lowermost selected row.
11:    Col_E ← Rightmost selected column.
12:    Col_W ← Leftmost selected column.
13:    MN_N = selectedCells.MN − Row_N.MN;
14:    SN_N = selectedCells.SN − Row_N.SN;
15:    MN_S = selectedCells.MN − Row_S.MN;
16:    SN_S = selectedCells.SN − Row_S.SN;
17:    MN_E = selectedCells.MN − Col_E.MN;
18:    SN_E = selectedCells.SN − Col_E.SN;
19:    MN_W = selectedCells.MN − Col_W.MN;
20:    SN_W = selectedCells.SN − Col_W.SN;
21:    if ((MN_N ≥ k && SN_N ≥ l) || (MN_S ≥ k && SN_S ≥ l) || (MN_E ≥ k && SN_E ≥ l) || (MN_W ≥ k && SN_W ≥ l)) then
22:        odd iteration:
23:            selectRowOrColumnToRemove(MN_N, MN_S,
24:                MN_E, MN_W, SN_N, SN_S, SN_E, SN_W);
25:        even iteration:
26:            if (removedRowInPreviousIteration) then
27:                selectColToRemove(MN_E, MN_W, SN_E, SN_W);
28:            else
29:                selectRowToRemove(MN_N, MN_S, SN_N, SN_S);
30:            end if
31:    else
32:        break;
33:    end if
34: end while
35: MinimalCloakingBox ← CloakingArea(selectedRows, selectedColumns)
36: return MinimalCloakingBox;
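Both dynamic searches (Algorithms 2 and 3) as runnable code on a flat grid, serving the Figure 5 and Figure 6 walk-throughs. This is an added example, not code from the PrivacyGrid paper: the 4x4 grid is constructed so that the request from the second row and second column follows the Figure 5 narrative, the selected rows and columns are kept as one inclusive box, dx and dy are measured in cells, and MaxCloakingArea is assumed to be centred on the requester's cell.

```python
# Added example, not code from the PrivacyGrid paper: bottom-up (Algorithm 2)
# and top-down (Algorithm 3) dynamic grid cloaking on a flat grid of base
# cells. Only mobile object counts are modelled, as in the paper's
# walk-throughs; still object counts and the l-diversity test would be
# tracked the same way. The constructed 4x4 grid makes the request from
# row 1, column 1 (0-indexed) follow the Figure 5 narrative: the north row
# raises the count to 12 and the east column then gives 21.
from typing import List, Optional, Tuple

GRID_MN: List[List[int]] = [  # constructed mobile object counts, row 0 on top
    [2, 6, 4, 3],
    [4, 6, 5, 3],
    [3, 5, 3, 4],
    [2, 2, 4, 1],
]
# selectedRows/selectedCols only ever gain or lose an outermost row or
# column, so the candidate area is an inclusive box (row0, col0, row1, col1).
Box = Tuple[int, int, int, int]


def box_mn(box: Box) -> int:
    r0, c0, r1, c1 = box
    return sum(GRID_MN[r][c] for r in range(r0, r1 + 1) for c in range(c0, c1 + 1))


def fits(box: Box, dx: int, dy: int) -> bool:
    """Box lies inside the grid and within the maximum spatial resolution,
    which is given here as a width dx and height dy in cells."""
    r0, c0, r1, c1 = box
    return (0 <= r0 <= r1 < len(GRID_MN) and 0 <= c0 <= c1 < len(GRID_MN[0])
            and c1 - c0 + 1 <= dx and r1 - r0 + 1 <= dy)


def resize(box: Box, side: str, delta: int) -> Box:
    """Add (delta=+1) or remove (delta=-1) the outermost row/column on a side."""
    r0, c0, r1, c1 = box
    return {"N": (r0 - delta, c0, r1, c1), "S": (r0, c0, r1 + delta, c1),
            "E": (r0, c0, r1, c1 + delta), "W": (r0, c0 - delta, r1, c1)}[side]


def sides_for(iteration: int, prev_was_row: Optional[bool]) -> str:
    """Odd iterations may pick any direction; even ones alternate rows and
    columns so the box is not skewed (lines 25-33 of both algorithms)."""
    if iteration % 2 == 1:
        return "NSEW"
    return "EW" if prev_was_row else "NS"


def bottom_up(row: int, col: int, k: int, dx: int, dy: int) -> Optional[Tuple[Box, int]]:
    """Grow from the requester's cell, adding the row/column with the largest
    resulting count (ties broken by direction letter); None means dropped."""
    box, prev_was_row, it = (row, col, row, col), None, 0
    while box_mn(box) < k:
        it += 1
        candidates = [(box_mn(resize(box, s, +1)), s) for s in sides_for(it, prev_was_row)
                      if fits(resize(box, s, +1), dx, dy)]
        if not candidates:
            return None  # no row/column can be added within dx/dy
        _, side = max(candidates)
        box, prev_was_row = resize(box, side, +1), side in "NS"
    return box, box_mn(box)


def max_cloaking_area(row: int, col: int, dx: int, dy: int) -> Box:
    """MaxCloakingArea, assumed here to be centred on the requester's cell
    and clipped to the grid."""
    hw, hh = (dx - 1) // 2, (dy - 1) // 2
    return (max(row - hh, 0), max(col - hw, 0),
            min(row + hh, len(GRID_MN) - 1), min(col + hw, len(GRID_MN[0]) - 1))


def top_down(row: int, col: int, k: int, dx: int, dy: int) -> Optional[Tuple[Box, int]]:
    """Start from the largest permitted area and peel off the row/column
    whose removal leaves the largest count while staying k-anonymous."""
    box = max_cloaking_area(row, col, dx, dy)
    if box_mn(box) < k:
        return None  # even the largest permitted area fails: cannot cloak
    prev_was_row, it = None, 0
    while True:
        it += 1
        candidates = []
        for s in sides_for(it, prev_was_row):
            nb = resize(box, s, -1)
            # never remove the requester's own row or column (lines 21-24)
            keeps_requester = nb[0] <= row <= nb[2] and nb[1] <= col <= nb[3]
            if fits(nb, dx, dy) and keeps_requester and box_mn(nb) >= k:
                candidates.append((box_mn(nb), s))
        if not candidates:
            return box, box_mn(box)  # no removal keeps k-anonymity: minimal
        _, side = max(candidates)
        box, prev_was_row = resize(box, side, -1), side in "NS"


if __name__ == "__main__":
    print(bottom_up(1, 1, 20, 4, 4))  # ((0, 1, 1, 2), 21): rows {0,1}, cols {1,2}
    print(top_down(1, 1, 20, 4, 4))   # same box and k' from the other direction
```

The bottom-up result covers four base cells against the eight of the Quad Grid box for the same request, which is the gap Section 3.3 describes.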

4  Possible  Enhancements 

In this section we discuss two enhancements for the PrivacyGrid spatial cloaking algorithm: the hybrid cloaking approach and the incorporation of temporal tolerance into the spatial cloaking algorithms.

Fig. 6: Top-Down Dynamic Hierarchical Grid Cloaking Example

4.1  Hybrid  Cloaking 


The hybrid cloaking algorithm combines the bottom-up and top-down approaches to improve the performance of finding the minimal cloaking region for a location service request. There are several ways that one can combine the top-down and bottom-up approaches, for example by making the choice upon receiving a location anonymization request. In this case, the main challenge is how to appropriately decide whether to proceed in a bottom-up or a top-down manner upon receiving a message cloaking request. When a request has a lower k-anonymity level and a higher maximum spatial resolution value, the hybrid algorithm proceeds in a bottom-up manner. However, for a request with a higher k-anonymity value and a low maximum spatial resolution value, the top-down approach is chosen as it works faster in finding the minimal cloaking box. We provide a brief analysis of the factors for making such a decision when we assume a relatively stable state of the cells being considered and a uniform object distribution.

Consider the map with a grid comprising cells of size α × β superimposed on top of it. We assume that each cell has n objects on average as this analysis assumes a uniform object distribution. Our dynamic approaches advocate addition (or removal) of rows and columns alternately. We assume that the final cloaking area is constructed by adding an equal number of rows and columns. Given an anonymization request with anonymity level k, we conclude that

where r² is the average number of cells estimated to meet our anonymity requirements; consequently we need to add r rows and an equal number of columns to form the required cloaking area. We assume that the maximum cloaking area as defined by the maximum spatial resolution values consists of a rows and b columns, which can be approximately quantified as below.

$a = 2 \times \lfloor d_x / \alpha \rfloor + 1$ (2)

$b = 2 \times \lfloor d_y / \beta \rfloor + 1$ (3)

The bottom-up approach starts with a single cell and may expand to include a × b cells, requiring addition of a − 1 rows and b − 1 columns. However, on average it is expected to add only r − 1 rows and r − 1 columns where r is as defined in equation 1 above. The top-down approach starts with a rows and b columns and it is expected to remove a − (r − 1) rows and b − (r − 1) columns on average. Hence the expected number of iterations performed by the bottom-up approach is

$i_{bu} = 2 \times \{\sqrt{k/n} - 1\}$ (4)

Similarly for the top-down approach the expected number of iterations is

$i_{td} = a - \{\sqrt{k/n} - 1\} + b - \{\sqrt{k/n} - 1\}$ (5)

The iterations performed by the top-down approach, on average, require more computation when compared with the iterations performed by the bottom-up approach as the top-down iterations are acting on a much larger number of rows and columns. Let the average cost of iterations performed by the top-down approach be γ times the average cost of iterations performed by the bottom-up approach. From the above equations we can determine the cost of proceeding in a bottom-up manner as

$T_{bu} = 2 \times \{\sqrt{k/n} - 1\} \times Cost_{bu}$ (6)

where Cost_bu is the average cost of a single bottom-up iteration. Similarly, if the cost of one top-down iteration is $Cost_{td} = \gamma \times Cost_{bu}$,

$T_{td} = \{a - \{\sqrt{k/n} - 1\} + b - \{\sqrt{k/n} - 1\}\} \times \gamma \times Cost_{bu}$ (7)

For any anonymization request, the hybrid cloaking algorithm proceeds in a top-down manner if T_td < T_bu; otherwise, it proceeds in a bottom-up manner.
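The decision rule above, evaluated in code. This is an added example rather than the paper's implementation: it uses the paper's symbols (n, α, β, d_x, d_y, γ, a, b) with Cost_bu normalised to 1, and the crossover function solves equations (6) and (7) for the k at which the two costs are equal, a step the paper does not spell out.

```python
# Added example, not code from the PrivacyGrid paper: the Section 4.1 cost
# model as a decision rule for the hybrid algorithm. Symbols follow the
# paper: cells of size alpha x beta with n objects on average, a maximum
# cloaking area of a rows and b columns from equations (2) and (3),
# r = sqrt(k/n), and a top-down iteration costing gamma bottom-up
# iterations. Cost_bu is normalised to 1, so T_bu and T_td are expressed
# in bottom-up iterations.
import math


def max_area_dims(dx: float, dy: float, alpha: float, beta: float):
    """Rows a and columns b of the maximum cloaking area, equations (2)-(3)."""
    return 2 * math.floor(dx / alpha) + 1, 2 * math.floor(dy / beta) + 1


def expected_costs(k, n, dx, dy, alpha, beta, gamma):
    """T_bu and T_td from equations (6) and (7) with Cost_bu = 1."""
    r = math.sqrt(k / n)  # r x r cells are expected to hold k objects
    a, b = max_area_dims(dx, dy, alpha, beta)
    t_bu = 2 * (r - 1)
    t_td = (a - (r - 1) + b - (r - 1)) * gamma
    return t_bu, t_td


def choose_direction(k, n, dx, dy, alpha, beta, gamma) -> str:
    """Hybrid rule: top-down when T_td < T_bu, bottom-up otherwise."""
    t_bu, t_td = expected_costs(k, n, dx, dy, alpha, beta, gamma)
    return "top-down" if t_td < t_bu else "bottom-up"


def crossover_k(n, dx, dy, alpha, beta, gamma) -> float:
    """The k at which T_td = T_bu, obtained here by equating (6) and (7)
    and solving for r (this closed form is not given in the paper):
    requests with a larger k are cheaper to serve top-down."""
    a, b = max_area_dims(dx, dy, alpha, beta)
    r = 1 + gamma * (a + b) / (2 + 2 * gamma)
    return n * r * r


if __name__ == "__main__":
    # constructed parameters: 5 objects per unit cell, 3-unit resolution, gamma = 2
    for k in (20, 160, 161, 245):
        print(k, choose_direction(k, 5, 3, 3, 1, 1, 2))
    print(crossover_k(5, 3, 3, 1, 1, 2))  # about 160.6
```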

4.2 Integrating Spatial Cloaking with Temporal Cloaking

All cloaking algorithms we have discussed so far start composing the minimal spatial cloaking box that meets both privacy and QoS requirements immediately upon the arrival of a new request message, regardless of whether the top-down or bottom-up cell composition is used. Recall that some messages may have to be dropped during spatial cloaking due to the fact that the algorithm cannot find a cloaking area that meets both the privacy requirement and the maximum spatial resolution requirement specified by the mobile user. Instead of dropping the message, we can improve the situation by invoking temporal cloaking to introduce some delay in terms of when to start the spatial cloaking process within the maximum temporal resolution constraint. For example, if we delay the start of spatial cloaking for γ time units (0 ≤ γ ≤ d_t), more mobile users may issue requests over the same area, leading to a higher probability for more messages to be perturbed and providing a higher anonymization success rate. The critical challenge is how to set the appropriate γ value. If γ = 0 the spatio-temporal cloaking is reduced to immediate spatial cloaking. If γ = d_t, the cloaking will be performed right before the expiration of the message (i.e., after a maximum allowed delay of d_t time units). However, this extreme setting will result in higher latency, which in many cases is unnecessary. Given a request message and its current cell cid, let C_max be the neighboring cell of cid with the highest object count. In PrivacyGrid, we determine the timing for starting the deferred cloaking process based on a number of parameters. Concretely, we perform the spatial cloaking for a new message if the total object count of the current cell cid and the neighboring cell C_max is larger than or equal to a system defined fraction of k, say θ, namely MN(cid) + MN(C_max) ≥ θ × k. θ < 1 is a system parameter that adjusts the amount of anonymization messages to be deferred. Smaller θ values push more messages to be processed immediately upon arrival. We can set θ at initialization time based on experimental studies or have it adaptively tuned during runtime by observing the rate of successful anonymizations with different θ values. A similar threshold value may be maintained for the l-diversity specifications too.

Fig. 7: Anonymous Query Processing. (a) Actual Query (b) Anonymized Query (cloaked query Q1)

5  Processing  Perturbed  Location  Queries 

We briefly describe the anonymous query processing mechanisms required at the LBS server in order to aid processing of queries associated with cloaked spatial regions instead of spatial points. Figure 7 displays an object o_1 which requests all static objects (e.g. gas stations) within distance r from its current position. Figure 7(a) displays the Minimum Bounding Rectangle (MBR) which forms the result set to be explored for the actual query. The cloaked query region identified by the location anonymization server is as shown in Figure 7(b). The actual object o_1 which makes the query request may be present anywhere within the cloaked query region, even at any of the corner points of the region. Thus the query processor needs to explore the region at a maximum distance r from each corner point to ensure that the probability of relevant results being excluded from the evaluation is zero. The shaded area in the figure displays the query result evaluated using the cloaked query region. As is clearly evident from the figure, the query result will include all relevant results for the original query Q_1. This clearly illustrates the need for finding smaller cloaking regions as unnecessarily large cloaking regions will lead to larger result sets. It is important to note that no other optimizations of any kind during query processing can guarantee that all relevant results will be included in the returned candidate result set.

Theorem  1.  The  MBR  (as  evaluated  in  Figure  7(b))  for  the 
cloaked  query  Q\  includes  all  relevant  results  for  the  actual 
query  Q\. 

Proof  Skipped. 
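The server-side evaluation of Figure 7(b) as an added example (not the paper's code): the cloaked rectangle is expanded by r on every side to obtain the candidate MBR, the candidate set is returned, and the client refines it with its true position; a lattice check over the cloaked region confirms the superset property of Theorem 1, and a second, larger region shows how the candidate set grows. All object positions, the user position and both regions are constructed.

```python
"""LBS-side processing of a cloaked range query (PrivacyGrid, Section 5).

Added illustration, not the paper's own code. The anonymizer forwards a
cloaked rectangle instead of the user's point. For "all static objects
within distance r of me" the server expands the rectangle by r on every
side (the MBR of Figure 7(b)) and returns every object inside it as the
candidate set; the client then refines with its true position. The object
positions and rectangles below are constructed sample data (metres).
"""
import math
from typing import Dict, Set, Tuple

Point = Tuple[float, float]
Rect = Tuple[float, float, float, float]   # (xmin, ymin, xmax, ymax)


def actual_query(pos: Point, r: float, objects: Dict[str, Point]) -> Set[str]:
    """Exact answer for the unperturbed query Q_1: objects within r of pos."""
    return {n for n, p in objects.items() if math.dist(pos, p) <= r}


def candidate_mbr(cloaked: Rect, r: float) -> Rect:
    """MBR covering every point within r of *any* point of the cloaked region."""
    xmin, ymin, xmax, ymax = cloaked
    return (xmin - r, ymin - r, xmax + r, ymax + r)


def in_rect(rect: Rect, p: Point) -> bool:
    return rect[0] <= p[0] <= rect[2] and rect[1] <= p[1] <= rect[3]


def cloaked_query(cloaked: Rect, r: float, objects: Dict[str, Point]) -> Set[str]:
    """Candidate result set the LBS returns for the cloaked query (Theorem 1)."""
    mbr = candidate_mbr(cloaked, r)
    return {n for n, p in objects.items() if in_rect(mbr, p)}


def refine(cands: Set[str], pos: Point, r: float,
           objects: Dict[str, Point]) -> Set[str]:
    """Client-side refinement: drop candidates farther than r from the true position."""
    return {n for n in cands if math.dist(pos, objects[n]) <= r}


def superset_holds(cloaked: Rect, r: float, objects: Dict[str, Point],
                   step: float) -> bool:
    """Check Theorem 1 on a lattice of possible user positions in the region.

    Every position (corners included) must have its exact answer contained
    in the candidate set computed from the cloaked region alone.
    """
    cands = cloaked_query(cloaked, r, objects)
    xmin, ymin, xmax, ymax = cloaked
    x = xmin
    while x <= xmax:
        y = ymin
        while y <= ymax:
            if not actual_query((x, y), r, objects) <= cands:
                return False
            y += step
        x += step
    return True


# Constructed sample: gas stations, the user's true position, and two
# cloaked regions that both contain the user.
SAMPLE_OBJECTS = {"gas_a": (100.0, 100.0), "gas_b": (350.0, 120.0),
                  "gas_c": (700.0, 650.0), "gas_d": (180.0, 420.0),
                  "gas_e": (950.0, 950.0)}
USER_POS = (200.0, 200.0)
RADIUS = 150.0
SMALL_REGION = (150.0, 150.0, 300.0, 300.0)   # tight cloaking region
LARGE_REGION = (100.0, 100.0, 600.0, 600.0)   # unnecessarily large region

if __name__ == "__main__":
    for region in (SMALL_REGION, LARGE_REGION):
        cands = cloaked_query(region, RADIUS, SAMPLE_OBJECTS)
        print(region, sorted(cands),
              sorted(refine(cands, USER_POS, RADIUS, SAMPLE_OBJECTS)))
```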

6 Experimental Evaluation

We divide the experimental evaluation of PrivacyGrid into two components: the effectiveness of our cloaking algorithms in terms of privacy and quality requirements, and their performance in terms of time complexity and scalability. Before reporting our experimental results, we first describe our evaluation metrics and the experimental setup, including the road-network based mobile object simulator used in the experiments.

6.1 Evaluation Metrics

We define the following metrics to evaluate the effectiveness and efficiency of PrivacyGrid location cloaking algorithms.

Anonymization Success Rate: The anonymization success rate is also referred to as the anonymization hit rate. The success rate of a cloaking algorithm measures its ability to cloak messages according to the privacy requirements — the k-anonymity value and the l-diversity value — and the QoS requirements — the maximum spatial resolution value and the maximum temporal resolution value. We define the anonymization success rate by measuring the fraction of messages cloaked successfully by an algorithm among all anonymization requests. This is the most important measure for evaluating the performance of the cloaking algorithms. A primary goal of the cloaking algorithm is to maximize the number of messages perturbed successfully according to their privacy and QoS requirements. Hence, the higher the success rate of a location cloaking algorithm, the more effective it is.

Relative Anonymity Level (RAL): This metric is used to measure the anonymity level achieved by the cloaking algorithm for successfully cloaked messages, normalized by the specified level of anonymity (k value) and the specified level of diversity (l value) in the mobile user's location privacy preference profile.

RAL = \frac{k'}{k} \times \frac{l'}{l} \times I(k' \geq k,\ l' \geq l)   (8)

In PrivacyGrid, the location cloaking algorithms aim at obtaining higher anonymity for the same cloaking area. However, excessive anonymity achieved at the cost of cloaking the location to a larger region hurts QoS during query processing. Hence, the lower the relative anonymity level (RAL), the better the performance of the algorithm.

Relative Spatial Resolution (RSR): This metric measures the ability of the spatial cloaking algorithm to provide the smallest cloaking area sufficient to meet the anonymity requirements. We calculate the relative spatial resolution by using the minimum spatial cloaking area, as calculated by the cloaking algorithm, normalized by the maximum allowed spatial cloaking area defined by the specified maximum spatial resolution {dx, dy}.

RSR = \frac{2 \times d_x \times 2 \times d_y}{Area(selectedCells)}   (9)

The relative spatial resolution has to be greater than one in all cases for successfully anonymized messages. A higher relative spatial resolution measure implies that the cloaked spatial region is smaller and the cloaking algorithm is more effective.

Message Anonymization Time: This metric measures the run-time performance of the cloaking algorithm in terms of time complexity. Efficient cloaking implies that the cloaking algorithm spends less time but perturbs more messages.

Fig. 8: Simulator for Experimental Setup
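The four metrics computed over a batch of cloaking outcomes, as an added example rather than the paper's evaluation code: a message counts as a hit only if its region meets both the privacy (k' ≥ k, l' ≥ l) and the QoS (area ≤ 2dx × 2dy) requirements, RAL follows Eq. (8) with its indicator, and RSR follows Eq. (9). The Outcome record and the four sample outcomes are constructed.

```python
"""PrivacyGrid evaluation metrics (Section 6.1) over a batch of outcomes.

Added illustration, not the paper's own code. Each outcome records the
message's requested k, l and maximum spatial resolution (dx, dy), and, when
the algorithm produced a cloaking region, the achieved k', l' and the area
of the selected cells. Hit rate, RAL (Eq. 8), RSR (Eq. 9) and mean cloaking
time are derived from these; the sample outcomes are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Outcome:
    msg_id: str
    k: int                              # requested location k-anonymity
    l: int                              # requested location l-diversity
    dx: float                           # max spatial resolution (metres)
    dy: float
    k_achieved: Optional[int] = None    # k' for the chosen region
    l_achieved: Optional[int] = None    # l' for the chosen region
    area: Optional[float] = None        # Area(selectedCells), m^2
    cloak_ms: float = 0.0               # message anonymization time


def max_area(o: Outcome) -> float:
    """Largest allowed cloaking area: the 2dx x 2dy box around the user."""
    return 2 * o.dx * 2 * o.dy


def succeeded(o: Outcome) -> bool:
    """Anonymized only if a region meets both privacy and QoS requirements."""
    return (o.area is not None and o.k_achieved is not None
            and o.l_achieved is not None
            and o.k_achieved >= o.k and o.l_achieved >= o.l
            and o.area <= max_area(o))


def ral(o: Outcome) -> float:
    """Eq. (8): RAL = (k'/k) * (l'/l) * I(k' >= k, l' >= l)."""
    if o.k_achieved is None or o.l_achieved is None:
        return 0.0
    indicator = 1.0 if (o.k_achieved >= o.k and o.l_achieved >= o.l) else 0.0
    return (o.k_achieved / o.k) * (o.l_achieved / o.l) * indicator


def rsr(o: Outcome) -> float:
    """Eq. (9): RSR = (2dx * 2dy) / Area(selectedCells); > 1 for every hit."""
    if not o.area:
        return 0.0
    return max_area(o) / o.area


def summarize(outcomes: List[Outcome]) -> Dict[str, float]:
    """Hit rate over all requests; RAL, RSR and time averaged over the hits."""
    hits = [o for o in outcomes if succeeded(o)]
    if not hits:
        return {"hit_rate": 0.0, "mean_ral": 0.0, "mean_rsr": 0.0,
                "mean_cloak_ms": 0.0}
    return {"hit_rate": len(hits) / len(outcomes),
            "mean_ral": mean(ral(o) for o in hits),
            "mean_rsr": mean(rsr(o) for o in hits),
            "mean_cloak_ms": mean(o.cloak_ms for o in hits)}


# Constructed sample outcomes: two hits, one message with no region within
# 2dx x 2dy, and one whose region fails the l-diversity requirement.
SAMPLE = [
    Outcome("m1", k=10, l=3, dx=300, dy=300, k_achieved=11, l_achieved=3,
            area=90_000, cloak_ms=1.2),
    Outcome("m2", k=20, l=2, dx=400, dy=400, k_achieved=20, l_achieved=2,
            area=160_000, cloak_ms=2.0),
    Outcome("m3", k=50, l=2, dx=300, dy=300, cloak_ms=2.4),
    Outcome("m4", k=10, l=2, dx=200, dy=200, k_achieved=12, l_achieved=1,
            area=40_000, cloak_ms=0.9),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```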

6.2  Experimental  Setup 

We extend the simulator from [14] to evaluate the effectiveness and performance of PrivacyGrid cloaking algorithms. The simulator generates a trace of cars moving on roads, and generates requests based on the position information from the trace. The trace generated by the simulator simulates a real-world road network obtained from maps available at the National Mapping Division of the USGS [7] in Spatial Data Transfer Format (SDTS) [6]. A transport layer of 1:24K Digital Line Graphs (DLGs) is used to extract the road-based network. The data is converted to the Scalable Vector Graphic (SVG) [5] format using the GlobalMapper tool [2]. The simulator extracts the road network based on three types of roads: expressway, arterial and collector roads. Traffic volume data in [16] is used to estimate the number of cars for different road classes. Cars are randomly placed on the road network according to the traffic densities and are moving on the roads. At intersections, they move in one direction or the other. The simulator attempts to keep the number of cars on each type of road constant with time. Our experimentation uses a map from the Chamblee region of Georgia (Figure 8) to generate the trace used in this paper, which covers a region of approximately 168 km². Most of our experiments use the trace with a duration of two hours. We simulate the movement of a set of 10,000 cars on the road network for Chamblee. Table 1 lists mean speeds, standard deviation and traffic volume values for each road type. Each car generates a set of messages during the simulation. By default, each message specifies an anonymity level k from the range [1,150] using a Zipf parameter of 0.6 with higher k being the most popular. The maximum spatial and temporal resolution values of the message are selected independently using normal distributions with 600m as the default mean spatial resolution and 30m² as the variance in maximum spatial resolution. The default mean temporal resolution is set to be 15s with 12s² variance in temporal resolution. Though all parameters take their default values if not stated otherwise, the settings of many parameters will be changed in different experiments to show the impact of these parameters on the effectiveness and efficiency of the algorithms.

Table 1: Motion Parameters

Road type     Mean of car speeds (km/h)   Std. dev. of car speeds (km/h)   Traffic volume data (cars/h)
Expressway    90                          20                               2916.6
Arterial      60                          15                               916.6
Collector     50                          10                               250

6.3  Experimental  Results 

Our experimental evaluation of the PrivacyGrid algorithms consists of three parts. First, we evaluate the effectiveness of the location anonymization algorithms by measuring anonymization hit rate (success rate), relative anonymity level obtained, average cloaking time and relative spatial resolution, and observe how these measures behave when we vary the settings of a number of parameters, such as grid cell size, the user-specified anonymity level k, and the user-specified maximum spatial resolution {dx, dy}. Then we evaluate the scalability of the algorithms in terms of cloaking time and update cost by varying the number of mobile users. Finally we evaluate the effectiveness of combining temporal cloaking with spatial cloaking by measuring the anonymization success rate (fraction of messages anonymized) when varying both the maximum temporal resolution values and the maximum spatial resolution values. Our results show that the PrivacyGrid dynamic grid cloaking algorithms are fast, effective, scalable and outperform all existing location cloaking approaches in terms of both anonymization success rate and cloaking time in the presence of a larger range of k values.

6.3.1  Varying  Size  of  Grid  Cells 

This set of experiments aims at measuring cloaking time, anonymization hit rate (success rate), relative anonymity level and relative spatial resolution obtained by using different settings of grid cell size. Figure 9 shows the results measured for four different settings of grid cell size: [96m × 112m], [48m × 56m], [24m × 28m], and [12m × 14m]. Recall that a HGI of height l implies a lowest level grid comprising 2^l × 2^l cells. Thus the four different grid cell sizes are equivalent to four different settings of the lowest level grid size, ranging from 128 × 128 cells to 1024 × 1024 cells. The user-defined anonymity levels (k value) for this set of experiments are chosen in the range [10 - 50] with a Zipf distribution using parameter 0.6, indicating that messages with higher anonymity levels are more popular.

Fig. 9: Results with Varying Size of Grid Cells. (a) Message Anonymization Time (plot). (b) Other Metrics:

Approach      Cell Size (meters)   Hit Rate   RAL      RSR
Bottom-Up     24 × 28              91.5%      1.002    3.795
Bottom-Up     48 × 56              91.4%      1.0025   3.773
Top-Down      24 × 28              91.5%      1.003    3.795
Top-Down      48 × 56              91.4%      1.01     3.715
Hybrid        24 × 28              91.5%      1.002    3.831
Hybrid        48 × 56              91.4%      1.0021   3.775
Quad Grid     24 × 28              42.8%      1.149    2.722
Quad Grid     48 × 56              42.7%      1.153    2.685

Fig. 10: Results with Varying Anonymity Levels

Figure 9(a) shows that the quad grid cloaking algorithm is fast in terms of cloaking time and the cloaking time does not increase significantly with the decrease in the size of grid cells. However, both the bottom-up and top-down dynamic grid cloaking algorithms will incur relatively higher cloaking time (ms) with the decreasing sizes of grid cells. This is because more rows (or columns) need to be added (or removed) to obtain the optimal cloaking regions. Interesting to note is that the actual cloaking time of all dynamic approaches is still below 2.5 ms in all cases, and such low delays are hardly perceivable.

From Figure 9(b) we observe two interesting results. First, the anonymization hit rate, the relative anonymity level (RAL), and the relative spatial resolution (RSR) do not change much as we vary the size of grid cells. Second, given a fixed grid cell size, say [24m × 28m], we see sharp differences when comparing the Quad Grid cloaking approach with the dynamic grid cloaking approaches such as bottom-up, top-down and hybrid. The Quad Grid cloaking, though faster (recall Figure 9(a)), has only 43% of the messages being anonymized successfully, while all the dynamic approaches have similar but much higher rates of success (> 91%). All the dynamic grid cloaking approaches give low relative anonymity levels, which are close to one, whereas the Quad Grid approach has about 15% higher relative anonymity level, indicating that it might be cloaking requests to unnecessarily larger spatial regions. This is confirmed by the relative spatial resolution (RSR) measurement, which is about 40% higher for the dynamic cloaking approaches when compared to the Quad Grid cloaking approach.

6.3.2 Varying User-defined Anonymity Level k

This set of experiments measures anonymization hit rate (success rate), relative anonymity level, cloaking time, and relative spatial resolution when varying k, the user-defined anonymity level, over various ranges: [2-10], [10-50], [50-100] and [100-150]. Spatial tolerance values for the anonymity ranges are 400m, 800m, 1200m and 1600m (mean values with 5% standard deviation) respectively and are chosen to be large enough to theoretically allow cloaking of a large fraction of the messages. The results are as displayed in

Figure 10 shows that the Quad Grid approach is able to cloak only around 60% of the messages with anonymity level k set in the range of [2-10] and the success rate falls further to 45-50% with increasing k values. In contrast, the dynamic approaches cloak 90-99% of the messages within user-defined maximum spatial resolution values (Figure 10(a)).

From Figure 10(b), we see that the Quad Grid cloaking incurs a higher relative anonymity level, but all dynamic cloaking approaches have low relative anonymity levels (close to one), indicating that the anonymity levels obtained in all perturbed messages (k' values) are very close to the user-defined k.

Figure 10(c) shows the impact of varying the user-defined anonymity level (k values) on the cloaking time of all algorithms. The quad grid cloaking algorithm is the fastest and its cloaking time does not increase much with the increase in the user-defined k values. Though all dynamic cloaking algorithms will incur relatively higher cloaking time (ms) with the increasing k values, the increase in cloaking time for bottom-up and hybrid is much slower when compared to the top-down approach. It is important to note that the cloaking time for the worst case (where the top-down approach is used) is still around 4.5 ms for k values in [100-150] (with higher k being more popular), which is hardly perceivable by most users.

Figure 10(d) displays the impact of changing k values on the relative spatial resolution (RSR) obtained for the perturbed messages. Clearly, the dynamic grid cloaking algorithms have considerably higher RSR (28-43%) than the Quad Grid approach for all k values, though RSR values decrease as the k values become larger.
Fig. 11: Results with Varying Spatial Tolerance


6.3.3 Varying Spatial Tolerance

This set of experiments examines the performance of the algorithms by varying the maximum spatial resolution settings and measures the anonymization hit rate (success rate), relative anonymity level, cloaking time, and relative spatial resolution. Messages are generated with anonymity level k from the range [10-50] with a Zipf distribution using parameter 0.6, favoring messages with higher k values. We vary the maximum spatial resolution value from 500m to 800m (mean values) with 5% standard deviation and examine the effect of different settings of maximum spatial resolution on the effectiveness of both the Quad Grid and the Dynamic Grid cloaking approaches. Figure 11 displays the results. The dynamic approaches are able to cloak all messages which can be theoretically cloaked for each maximum spatial resolution value, whereas the Quad Grid approach fails to cloak a large number of messages (40% less as shown in Figure 11(a)). Figure 11(b) shows that the relative anonymity levels for all cloaking algorithms do not change much when the user-defined maximum spatial resolutions change significantly. Figure 11(c) shows that only the top-down cloaking algorithm increases the cloaking time as the maximum spatial resolution values increase, while the other cloaking algorithms are not very sensitive to the changes in the maximum spatial resolution values. Finally, Figure 11(d) shows that with the increase in the maximum spatial resolution values, the relative spatial resolution (RSR) values for all cloaking algorithms will increase proportionally with a close to constant gap between the Quad Grid approach and the dynamic grid algorithms.

6.3.4 Scalability

Finally we report the set of experiments designed to study the scalability of the PrivacyGrid system with respect to the changing number of mobile users. Obviously, as the number of users in the system increases, we can expect the cloaking time for all algorithms to decrease as messages will be anonymized more easily, but the update costs for the grid-based structures will increase. We use a similar setup to that in Section 6.3.3 with the mean spatial resolution fixed at 800m with 5% standard deviation. We vary the number of users from 10K to 100K and observe the effect on the cloaking time and update cost. Figure 12 shows the measurement results. From Figure 12(a) we observe a number of interesting results. First, the differences in cloaking time among the algorithms change slightly with the increase in the number of mobile users. Second, the cloaking time for the Quad Grid approach is less sensitive to the increase in the number of users. Third, the top-down approach shows a slow increase in cloaking time with the increase in the number of mobile users in the system. This is because the approach requires more iterations as messages can now be cloaked to smaller spatial regions. However, the bottom-up approach displays a reverse trend — the cloaking time decreases as the number of users increases. This is because a higher density of mobile users per grid cell will enable the bottom-up cloaking to find the minimal cloaking box faster. Finally, we observe that the hybrid approach adapts well to the increase in the number of users, offering similar performance to the bottom-up approach in terms of cloaking time.

Figure 12(b) measures the total number of updates per second required to update the grid-based data structures as the number of mobile users increases. For this experiment, the grid index is maintained as a main memory data structure. Each car provides a location update to the system after moving a distance of 20m. We observe that the Quad Grid approach uses the HGI data structure and requires a large number of updates as the number of users increases. The HGI used in this experiment is a nine level grid index, requiring an average of 10-11 updates per location update request. In contrast, the dynamic cloaking approaches use the simple grid index, requiring only 1.8-1.9 updates per location update request, which is significantly lower than the Quad Grid approach in terms of update cost.

6.3.5 Effects of Maximum Temporal Resolution

This set of experiments is dedicated to studying the effects of utilizing maximum temporal resolution values to delay the message anonymization process within an acceptable time period. Again we use the same experimental setup as in Section 6.3.3. We measure the success rate by varying both the maximum temporal resolution dt from 15 seconds to 60 seconds (mean values with 5% standard deviation) and the maximum spatial resolution from 500m to 800m. Figure 13(a) displays the results for the dynamic grid cloaking approaches and Figure 13(b) shows the results for the Quad Grid approach. We observe that the use of maximum temporal resolution helps increase the fraction of messages being cloaked for both the dynamic approaches and the Quad Grid approach by 10-20%.

Fig. 13: Effects of Temporal Tolerance. (a) Dynamic Cloaking; (b) Quad Grid Cloaking.

7 Related Work

The k-anonymity approach to privacy protection was first developed for protecting published medical data [23, 22]. k-anonymity guarantees the inability to distinguish an individual record from at least k − 1 other records. [9, 18] attempt to provide solutions for optimal k-anonymization. Personalization of privacy requirements has attracted attention recently [14, 26]. Other related work includes anonymization of high dimensional relations [8] and extending the concept of k-anonymization via l-diversity [20], t-closeness [19] and m-invariance [27].

The concept of location k-anonymity was introduced in [16] where k is set to be uniform for all users. The concept of personalized location k-anonymity with customizable QoS specifications, first introduced in [14], is adopted by several others [21, 15]. Most solutions for location privacy adopt the trusted third party model which has been successfully deployed in other areas such as Web browsing [1]. Two representative approaches to personalized location anonymization are the CliqueCloak algorithm introduced in [14] and the Casper system [21]. The CliqueCloak algorithm relies on the ability to locate a clique in a graph to perform location cloaking, which is expensive and shows poor performance when k is large. The Casper approach addresses location anonymization using the pyramid data structure and allows the system to quickly locate cloaking boxes. However, due to the coarse resolution of the pyramid structure and the lack of QoS support, the cloaking areas in Casper are much larger than necessary, leading to poor QoS perceived by the user.


8 Conclusion and Future Work

We have described PrivacyGrid — a framework for supporting anonymous location-based queries in mobile information systems. This paper has made three unique contributions. First, we propose to use location k-anonymity and location l-diversity as the two location hiding measures and maximum spatial resolution and maximum temporal resolution as the two location service quality measures. Second, we develop the Quad Grid approach and three dynamic grid based spatial cloaking algorithms for providing location k-anonymity and location l-diversity in a mobile environment. The Quad Grid cloaking algorithm is fast but has a lower anonymization success rate. The dynamic grid cloaking algorithms provide a high anonymization success rate and yet are efficient in terms of both time complexity and update cost. Third but not least, we incorporate the maximum temporal resolution into the location cloaking process, which leads to a further increase in the success rate of location anonymization by introducing controlled delay in terms of when to start location anonymization. We also described the PrivacyGrid mechanisms for processing perturbed range queries. Our experimental evaluation shows that the PrivacyGrid approach is efficient and effective for performing personalized location anonymization, while providing optimal location anonymity as defined by per user location privacy preference profiles.